Art29WP and EDPS respond to e-Privacy Directive consultation

Who: Article 29 Working Party (Art29WP) and European Data Protection Supervisor (EDPS)

Where: EU

When: July 2016

Law stated as at: 8 September 2016

What happened:

In July 2016, both the Art29WP and the EDPS issued their respective opinions on the evaluation and review of the e-Privacy Directive.

A brief background to the e-Privacy Directive

The intention of the e-Privacy Directive is to complement the existing EU Data Protection Directive (which is implemented in the UK by the Data Protection Act 1998), by setting out specific rules for the processing of personal data and the protection of privacy in the electronic communications sector.

It is most well-known to marketers as the “cookie law”, after amendments in 2009 introduced a requirement to obtain consent to store or access information stored on a subscriber or user’s terminal equipment, i.e. to use cookies and similar technologies. It also includes rules on direct marketing by electronic means and the use of location data (although the latter strictly only apply to telecoms providers, at the moment…).

The e-Privacy Directive has, for some time, been in need of review. Since the adoption of the e-Privacy Directive back in 2002, significant technological and regulatory developments (including the adoption of the General Data Protection Regulation (the “GDPR“) in April this year) have taken place. As part of its Digital Single Market strategy (and you can find out more about that here), the European Commission committed to review the e-Privacy Directive. It terms the review as “one of the key initiatives aimed at reinforcing trust and security in digital services in the EU with a focus on ensuring a high level of protection for citizens and a level playing field for all market players” (which can be found here).

Key areas of potential change for marketers

There are a number of areas of potential change which might directly or indirectly affect marketers. Here, we summarise just two of those:

– The rules on cookies and similar technologies

In their opinions, both the Art29WP and the EDPS condemn the practice of using cookie walls, which they consider deny access to users that do not accept cookies with potentially high privacy risks for users. They invite the European Commission to either include an outright prohibition on such “take it or leave it” choices (with some exceptions) or to include a non-exhaustive of circumstances in which such forced consent would be prohibited. While the latter option would provide some flexibility; this flexibility, in turn, could cause further legal uncertainty in an area already clouded with ambiguity.

The review considers the practice of websites to deny access to those users who refuse to accept cookies (or other technologies) – the so-called “cookie walls” – and questions whether users’ consent can truly be “freely given” in those circumstances. It also questions in what circumstances users should be asked for their consent and whether asking for consent may disrupt the internet experience.

– The rules on direct marketing

The review questions whether Member States should retain the possibility to choose between an opt-in and an opt-out regime for live marketing calls.Organisations such as the Direct Marketing Association (the “DMA“) are lobbying the European Commission to retain Member States’ discretion on whether opt-in consent is required for telemarketing. In its response to the review of the e-Privacy Directive, the DMA asserts that those organisations that flagrantly breach existing direct marketing laws will continue to do so, irrespective of whether an opt-in or an opt-out is required. In its opinion, the only organisations that would be penalised by a change in the rules are legitimate telemarketers.Perhaps unsurprisingly, the opinions of the Art29WP and the EDPS are not in marketers’ favour. While those opinions are not binding, they do carry a certain amount of influence. Similarly, unlawful direct marketing is one of the areas in which regulators, including the UK’s Information Commissioner’s Office (the “ICO“), are most active in exercising their enforcement powers. It is seen as an area in which the risks and potential harm to the rights and freedoms of individuals are at their highest.In short, there is a significant chance that the rules will get stricter for marketers. The question is, how much stricter and what will that look like in practice?

In its response to the review of the e-Privacy Directive, the ICO also advocates a harmonised opt-in approach to all direct marketing channels. It says that “the privacy implications of receiving unwanted telemarketing calls are at least as great – and arguably greater, particularly for some vulnerable people – than other channels which already require an opt-in”.

Regulators have regularly frowned on how businesses have chosen to implement the rules on cookies, but the current ambiguity in the e-Privacy Directive has left them with little room to do very much about it. That may change if their opinions are followed…

Why this matters:

Both the Art29WP and the EDPS recommend that opt-in consent is required for all types of unsolicited marketing communications, irrespective of the means. This could have a significant impact on telemarketers in the UK, who are currently able to rely on an opt-out unless the recipient has registered with the TPS.

Currently, opt-in consent is required to send unsolicited marketing communications by electronic means (i.e. by SMS, e-mail, automated calls etc.) to “individual subscribers”, unless the “soft opt-in rule” can be relied on. Conversely, it is left to individual Member States to determine whether opt-in consent is required for live marketing calls.